author | Tom Sepez <tsepez@chromium.org> | 2015-09-09 10:16:08 -0700 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-09-09 10:16:08 -0700 |
commit | 396e872d872b760813036b7e7dd8bb68a8b61598 (patch) | |
tree | 30d129ec8bbc06750d656f3eeef479b6e15936f0 /testing/resources/bug_507316.pdf | |
parent | d6278baea3dec46fec555f7740bde9087e57d8f1 (diff) | |
download | pdfium-396e872d872b760813036b7e7dd8bb68a8b61598.tar.xz |
Merge to XFA: Fix heap use after free in CPDFSDK_Annot::GetPDFAnnot.
(cherry picked from commit 9241e5a43990859f6f9a94aaa2c488d0451039e3)
Original Review URL: https://codereview.chromium.org/1312313006 .
(cherry picked from commit 343dbb841f4c12e819932e2b66dd70f817337d97)
Original Review URL: https://codereview.chromium.org/1325533004 .
BUG=507316
TBR=thestig@chromium.org
Review URL: https://codereview.chromium.org/1332653002 .
Diffstat (limited to 'testing/resources/bug_507316.pdf')
-rw-r--r-- | testing/resources/bug_507316.pdf | 145 |
1 files changed, 145 insertions, 0 deletions
diff --git a/testing/resources/bug_507316.pdf b/testing/resources/bug_507316.pdf
new file mode 100644
index 0000000000..13c70830f8
--- /dev/null
+++ b/testing/resources/bug_507316.pdf
@@ -0,0 +1,145 @@
+%PDF-1.7
+% ò¤ô
+1 0 obj <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /OpenAction 4 0 R
+ /AcroForm 3 0 R
+>>
+endobj
+2 0 obj <<
+ /Type /Pages
+ /Count 3
+ /Kids [6 0 R 7 0 R 8 0 R ]
+>>
+endobj
+3 0 obj <<
+ /CO [11 0 R]
+ /Fields [11 0 R 9 0 R]
+>>
+endobj
+4 0 obj <<
+ /Type /Action
+ /S /JavaScript
+ /JS 5 0 R
+>>
+endobj
+5 0 obj <<>>
+stream
+var i = 0;
+function run()
+{
+ t = this.getField('txtName1');
+ t2 = this.getField('txtName2');
+ t2.setFocus();
+ t.setFocus();
+ t.value='G';
+}
+
+function remove(){
+ if (i==1){
+ this.removeField('txtName2');
+ }
+ i++;
+}
+
+app.setTimeOut('run()',2000);
+endstream
+endobj
+6 0 obj <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+ /Resources <<>>
+>>
+endobj
+7 0 obj <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+ /Resources <<>>
+>>
+endobj
+8 0 obj <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+ /Resources <<>>
+ /Annots [9 0 R 11 0 R]
+>>
+endobj
+9 0 obj <<
+ /FT /Tx
+ /Type /Annot
+ /Subtype /Widget
+ /T (txtName2)
+ /F 4
+ /AP <</N 10 0 R>>
+ /Rect [20 20 400 60]
+>>
+endobj
+10 0 obj <<
+ /Type /XObject
+ /Subtype /Form
+ /FormType 1
+>>
+endobj
+11 0 obj <<
+ /FT /Tx
+ /Type /Annot
+ /Subtype /Widget
+ /T (txtName1)
+ /F 4
+ /AP <</N 12 0 R>>
+ /Rect [200 200 400 260]
+ /AA 13 0 R
+>>
+endobj
+12 0 obj <<
+ /Type /XObject
+ /Subtype /Form
+ /FormType 1
+>>
+endobj
+13 0 obj <<
+ /C 14 0 R
+>>
+endobj
+14 0 obj <<
+ /Type /Action
+ /S /JavaScript
+ /JS 15 0 R
+>>
+endobj
+15 0 obj <<>>
+stream
+this.getField('txtName2').value='B';
+this.pageNum=1;
+remove();
+endstream
+endobj
+xref
+0 16
+0000000000 65535 f
+0000000015 00000 n
+0000000106 00000 n
+0000000182 00000 n
+0000000243 00000 n
+0000000309 00000 n
+0000000602 00000 n
+0000000697 00000 n
+0000000792 00000 n
+0000000912 00000 n
+0000001043 00000 n
+0000001113 00000 n
+0000001261 00000 n
+0000001331 00000 n
+0000001365 00000 n
+0000001433 00000 n
+trailer <<
+ /Size 15
+ /Root 1 0 R
+>>
+startxref
+1534
+%%EOF |
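Review bot: The trailer declares `/Size 15`, but the xref subsection header is `0 16` and the file defines objects up to `15 0 obj`, so the trailer entry should read `/Size 16` (one more than the highest object number). Object 15 is the stream holding the calculate-action script that calls `remove()`, so a reader that enforces `/Size` could treat the `/JS 15 0 R` reference as out of range. The fixture would then load without reaching the field-removal path the regression test is meant to cover. Whether the current parser tolerates this is not visible from the hunk, but the test should not depend on xref recovery behaviour. A leading `%` comment such as `% Regression fixture for BUG=507316: the calculate action on txtName1 removes txtName2 on its second invocation` would also make the intent clear to whoever next edits the file.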